Basic structure

1. Basic structure Policy Client: DN=Takuya createService(term) Agreement Factory • Utilize GSI • If negotiation succeeds and agreement is created, the agreement stores the information of “DN” of the client • This information can be stored in the agreementInitiator of gsa:ContextType, though it is URI string in the current spec. • When making agreement, the DN and the policy might be used to decide if it is allowed to make agreement or not. • When the client accesses to a service, the service looks up the DN information and decides if the access to the service is allowed or not • In a sense, agreement acts as a way of “authorization” (authentication is done using GSI) Stores DN information Agreement DN=Takuya call service: (DN = Takuya) Give the information of DN to the service Service

2. Dependent Agreement Client: DN=Takuya Agreement Factory-B createService(term) Agreement Factory-A • Utilize the delegation mechanism of GSI • Agreement-A and Service-A acts as the client (DN=Takuya) • The other process is the same as the previous example. createService(term) (DN=Takuya) Agreement-B Agreement-A DN=Takuya DN=Takuya call service: (DN = Takuya) Service-B Service-A call service: (DN = Takuya)

3. Give agreement to other entities Client: DN=Takuya Policy createService(term) Agreement Factory • Giving agreement to another entity can be implemented by setting the DN of the entity to the agreement. • If it is allowed to add the DN to the list might be decided by the policy. Add Kate to the DN list Agreement Tell GSH of Agreement (and service) DN=Takuya DN=Kate Client: DN=Kate Service call service: (DN = Kate)